
Re: [Q] SA lookup on receive



Abbie,

>I agree that the SA MUST be a tunnel mode if the SA was between
>the IPSec host/gateway and the IPSec gateway. However. I am
>considering the case where the SA is between 2 IPSec hosts and
>one of the routers in between is an IPSec gateway. The host _does
>not_ have an SA with the IPSec gateway.

If neither host is a party to an SA with the security gateway, then
processing of these transit packets is based on SPD entries defined for
BYPASSed traffic.

>In this case, the IPSec gateway receives an IPSec packet ... but
>the destination address in the "outer" header (or the header in
>the clear) is NOT one of the local addresses of the gateway.

No problem. If an inbound packet is not addressed to the SG, it will be
looked up in the SPD based on the selectors extracted from the outer
header.  If local policy allows transit of IPsec traffic, there should be
an entry that calls for this traffic to be bypassed.  In this case, no
IPsec processing is applicable, so the discussion on inbound traffic
processing in section 5.2 does not apply. We could do a better job of
describing inbound processing for transit traffic for security gateways.
Sorry for the confusion.

>A strict reading of the security architecture document would
>cause this packet to be dropped. Thus the request for the
>clarification. As I see it the input processing for the IPSec
>gateway probably should be:
>
>        If (not an IPSec packet)
>        {
>                look up in SPD and process accordingly
>        }
>        else
>        {
>                if (the destination is not local)
>                        look up in SPD and process accordingly
>                else
>                        look up in SAD and process according to ID
>        }

I would not make the top level decision based on whether the packet had AH
or ESP as the next protocol. The first decision is based on whether the
packet is addressed to the SG or not.  If not, then lookup in the SPD to
see whether the packet is to be bypassed or discarded.  Otherwise, if it is
addressed to the SG, and if it is IPsec, ...

Steve
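The decision order Steve describes, as an added example that is not part of the thread and not code from either correspondent: the first test is whether the outer destination is a local address of the security gateway; transit packets are classified from their outer-header selectors against the SPD (bypass or discard, with no IPsec processing), and only packets addressed to the SG with AH or ESP as the next protocol go to the SAD. The SPD/SAD layout, the entry fields, the addresses and the SPI below are constructed for illustration.

```python
"""Inbound packet classification at an IPsec security gateway (constructed model).

Added example, not from the mailing-list thread. It encodes the ordering
described in the reply: first decide whether the outer destination is local
to the SG, then, for local packets only, whether they carry AH/ESP.
All addresses, SPD/SAD entries and packets below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

AH, ESP = 51, 50  # IP protocol numbers for AH and ESP


@dataclass(frozen=True)
class SpdEntry:
    src: str               # CIDR prefix matched against the outer-header source
    dst: str               # CIDR prefix matched against the outer-header destination
    proto: Optional[int]   # None matches any protocol
    action: str            # "BYPASS", "DISCARD" or "PROTECT"

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"]))


def spd_lookup(spd, pkt):
    """Ordered SPD search; no matching entry means DISCARD (default deny)."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.action
    return "DISCARD"


def classify_inbound(pkt, local_addrs, spd, sad):
    """Return the disposition of one inbound packet seen at the SG.

    pkt: outer-header fields {"src", "dst", "proto", "spi" (optional)}.
    sad: dict keyed by (dst, proto, spi) -> SA name (hypothetical layout).
    """
    # 1. Is the packet addressed to this SG at all?
    if pkt["dst"] not in local_addrs:
        # Transit traffic: only the outer-header selectors are visible and
        # no IPsec processing applies, even when the next header is AH/ESP.
        action = spd_lookup(spd, pkt)
        # The SG is not a party to any SA for this traffic, so a PROTECT
        # entry cannot be satisfied; anything but BYPASS is dropped.
        return "BYPASS" if action == "BYPASS" else "DISCARD"
    # 2. Addressed to the SG: is it IPsec?
    if pkt["proto"] in (AH, ESP):
        sa = sad.get((pkt["dst"], pkt["proto"], pkt.get("spi")))
        return f"IPSEC:{sa}" if sa else "DISCARD"  # unknown SPI: drop
    # 3. Plaintext for the SG itself: ordinary SPD consult
    return spd_lookup(spd, pkt)


# Constructed sample configuration
SG_LOCAL = {"192.0.2.1"}
SPD = [
    # Transit ESP between two hosts is allowed through this SG
    SpdEntry("198.51.100.0/24", "203.0.113.0/24", ESP, "BYPASS"),
    # ICMP addressed to the SG itself is allowed in the clear
    SpdEntry("0.0.0.0/0", "192.0.2.1/32", 1, "BYPASS"),
    # Everything else: default deny (no entry -> DISCARD)
]
SAD = {("192.0.2.1", ESP, 0x1001): "sa-from-peer-gw"}

if __name__ == "__main__":
    transit = {"src": "198.51.100.5", "dst": "203.0.113.9", "proto": ESP, "spi": 0x99}
    print(classify_inbound(transit, SG_LOCAL, SPD, SAD))
```

Note that the transit branch never consults the SAD: a host-to-host ESP packet passing through the gateway is bypassed or discarded purely on the outer-header selectors, which is the behaviour the reply says section 5.2 does not cover.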
